SoS Musings #56 - The Cybersecurity Workforce Gap Remains

SoS Musings #56 -

The Cybersecurity Workforce Gap Remains

The cybersecurity skills gap is still a problem, leaving systems, data, and infrastructures inadequately protected. Cybersecurity remains an in-demand calling as companies in different industries continue to face ransomware attacks, data breaches, nation-state attacks, and more. Such incidents highlight how important it is for all organizations to have a robust cybersecurity strategy. However, the gap in cybersecurity talent for most organizations persists. There are not enough skilled cybersecurity professionals to meet the demand. Cybersecurity professionals are needed to prevent cybercrime, which has increased during the COVID-19 pandemic. The Federal Bureau of Investigation (FBI) collected data for 791,790 suspected Internet crimes in 2020, an increase of 300,000 (69.4 percent) from that of 2019. Between March 12, 2020, and May 15, 2021, the number of Internet crime complaints increased from a total of 5 million to 6 million, revealed the FBI. Previously, the total number of such complaints increased by 1 million between October 2017 and March 2020. With cybercrime continuing to increase, it is important to further cultivate cyber skills and build a skilled cybersecurity workforce to help defend against cybercriminals.



The 2021 (ISC)² Cybersecurity Workforce Study provides two critical measures of the cybersecurity profession—the Cybersecurity Workforce Estimate and the Cybersecurity Workforce Gap. The Cybersecurity Workforce Estimate presents an assessment of the available pool of cybersecurity professionals globally. For 2021, (ISC)² estimated that there are 4.19 million cybersecurity professionals worldwide, which is an increase of over 700,000 compared to 2020. The Cybersecurity Workforce Gap, referring to the number of additional professionals needed to protect and defend organizations' critical assets, decreased to 2.72 million in 2021 from 3.12 in 2020. However, these figures together suggest that the size of the cybersecurity workforce is still 65 percent below what it needs to be in order to effectively defend organizations' critical assets from being compromised in cyberattacks. (ISC)² surveyed 4,753 cybersecurity professionals working in small, medium, and large organizations across North America, Europe, Latin America, and Asia-Pacific, 60 percent of which reported that the shortage in cybersecurity staffing is putting their organizations at risk. Based on the survey, all areas of cybersecurity are affected by the shortage of cybersecurity professionals. Participants revealed cybersecurity staff shortages within their organizations in each of the seven areas of common cybersecurity functions defined by the National Initiative for Cybersecurity Education (NICE) Framework. Securely Provision is the area most participants cited as needing more cybersecurity staffing, followed by Analyze, Protect and Defend, Oversee and Govern, Operate and Maintain, Investigate, and Collect and Operate. Staff shortages in these areas negatively impact organizations in different ways.



There are real-life, real-world consequences to having a lack of skilled cybersecurity professionals. The fifth annual global study by the Information Systems Security Association (ISSA) and the industry analyst firm Enterprise Strategy Group (ESG) surveyed 489 cybersecurity professionals, 282 of which revealed the top ramifications of the cybersecurity skills shortage. When asked what type of impact the global cybersecurity skills shortage has had on their organizations, most (62 percent) said it increased the workload on existing staff. In addition, 38 percent of the respondents reported that the skills shortage has led to new security job roles remaining unfilled for weeks or months. In alignment with the mental health theme, 38 percent of the respondents also said the skills shortage has led to high burnout and attrition rate among existing cybersecurity employees. One-third of the respondents said the skills shortage has led to a situation within their organizations where it is difficult for the cybersecurity team to fully learn or apply some security technologies to their full potential. For example, an organization determines that it needs a new security technology for threat prevention, detection, and response. After this determination is made, the organization investigates, purchases, tests, configures, deploys, and operates the technology, as well as provides training to existing staff. However, after much effort is made to implement the technology, the organization still does not have enough professionals or skills to operate it to its fullest potential, thus presenting one of the biggest consequences of the skills shortage. Other ramifications of the cybersecurity skills shortage faced by organizations include the inability to investigate or prioritize security alerts in a timely manner, a disproportionate amount of time spent on high-priority issues or incident response by cybersecurity staff, an increase in the use of third-party services, and an increase in human error associated with cybersecurity tasks.



Improving K-12 education plays a key role in addressing this shortage of skilled cybersecurity employees. A nationally representative 2020 survey from CYBER.ORG, conducted by the EdWeek Research Center, gathered responses on the state of cybersecurity education in K-12 schools from over 900 teachers, principals, and district leaders, which revealed that both students and educators have limited knowledge of cybersecurity. Most of the K-12 educators who responded to the survey (91 percent) reported knowing a little bit about cybersecurity, while only 10 percent said they know enough to provide students an understanding of how connected devices interact in the digital age and how to protect digital assets from cybersecurity vulnerabilities. In addition, less than 50 percent of the respondents said their districts or schools offer cybersecurity education for students. It was also made clear that access to cybersecurity education is infrequent and uneven across communities and educational settings. Students who live in small and high-poverty districts, attend public schools versus private schools, or live in communities without resources such as cybersecurity companies or universities, are significantly less likely to be exposed to cybersecurity education. These findings suggest that privileged students have more opportunities to be exposed to the cybersecurity field. Lack of access to cybersecurity education prevents exposure to relevant coursework that would build interest and skills. To improve K-12 education in cybersecurity, it is essential to ensure access to such education in cybersecurity deserts (i.e., communities with a lack of cybersecurity resources), raise basic levels of knowledge about cybersecurity education among educators, increase the number of schools offering cybersecurity education, and improve efforts to inform students about cybersecurity careers.



Creating various pathways into the cybersecurity workforce for people in underrepresented groups and increasing the recruitment of individuals from such groups can also help address the shortage of talent. Embracing neurodiversity could benefit the cybersecurity field and help fill the cybersecurity workforce gap. Neurodiversity refers to the differences in individual brain function and behavioral traits that are considered part of normal variation in the human population. The idea behind neurodiversity is that neurological differences are known and valued as any other human variation. Neurodiversity covers various neurological conditions, including but not limited to Autism Spectrum Disorder (ASD), Attention Deficit Hyperactivity Disorder (ADHD), and Dyslexia. This year, the National Institute of Standards and Technology's (NIST) 2021 Federal Workforce Summit showcased the advancement of a new Neurodiverse Federal Workforce pilot program at the National Geospatial-Intelligence Agency (NGA). The "Made by Dyslexia" non-profit agency also highlighted how the UK's signals intelligence and information assurance agency actively recruits neurodiverse individuals. The Neurodiverse Federal Workforce pilot program is a joint project involving the NGA, the R&D non-profit MITRE, and the non-profit that helps people with disabilities find employment named Melwood. The program accepted four individuals with neurodiverse conditions as its initial group of cybersecurity trainees and put them through an intensive training and interviews boot camp. After they completed the boot camp, they were placed in geospatial and imagery analysis roles. Both the Federal Workforce Summit and Made by Dyslexia showed how neurodiverse individuals with interest in cybersecurity are finding new opportunities to apply their unique skills and ways of thinking in the government workforce. They also brought further attention to the importance of cybersecurity teams making a greater effort to explore and increase neurodiversity rather than just deferring to the HR department for guidance. To help fill the talent gap, organizations are encouraged to actively recruit neurodiverse individuals and embrace their unique strengths, as well as train managers and employees on how to create a neurodiverse-friendly workplace environment. Companies seeking to hire more cybersecurity professionals should embrace the unique talents of those with neurodiverse conditions by improving efforts to utilize these talents, altering workplace cultures, and changing recruitment processes for such individuals. Bringing cybersecurity training to rural communities and other diverse populations can also help address the cybersecurity workforce shortage. The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) awarded $2 million to NPower and CyberWarrior to support the development of cyber workforce training programs geared towards the unemployed and underemployed, the underserved communities in urban and rural areas, and traditionally underserved populations. The populations of focus include veterans, military spouses, women, and people of color. The CISA Director, Jen Easterly, emphasized the importance of addressing the cyber workforce shortage by being proactive in searching and fostering prospective talent in places considered nontraditional. In collaboration with CISA, NPower and CyberWarrior will develop a scalable and replicable proof-of-concept program to identify and train talented individuals in cybersecurity. The three-year pilot program will develop and implement a comprehensive cybersecurity pathways retention strategy, deliver entry-level cybersecurity training using innovative training hubs, provide hands-on experience through apprenticeships, and put talented individuals in entry-level cybersecurity jobs to decrease the cyber workforce shortage. Such efforts must continue to be made in order to create a robust, skilled, and diverse workforce.



Cybersecurity is a critical and quickly changing career field where the demand for professionals is increasingly outpacing the supply of skilled employees. It is important to further explore and develop additional efforts towards building a larger skilled cybersecurity workforce.